A group calling itself Gnosis has pulled off a massive heist of data from Gawker Media, the New York-based blog network owned by Nick Denton. But perhaps "massive" is a bit of an understatement.

Gawker, perhaps best known for its unusual procurement of a lost iPhone prototype and the ensuing fury from Apple, owns the popular blogs Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, Io9, and Fleshbot. In a blog post on Sunday, the company commented, "We're deeply embarrassed by this breach."

You Might Want to Change Your Password Now

Posted around the internet are juicy nuggets of what was once Gawker's and its customers' secure private data. The posts include the site's entire PHP-heavy source (a fun read if you're a web dev), thousands of user passwords, server logs, staff emails, staff chats, and tons of information on Gawker chief Nick Denton and his various (compromised) web accounts.

After 17 hours of cracking, the Gnosis team is offering up 273,789 passwords of Gawker users, and they say they expect to have 500,000+ before they're done. That represents roughly half of the purloined database of 1,247,897 user entries, which in turn is roughly 80 percent of all accounts on the site (in other words, the hackers expect to compromise over 30 percent of all users' passwords).

Interestingly, 2,650 users were using either "password" or "qwerty" as their password.

Many Gawker staffers seemed to be using short common words or pop-culture names as their passwords, and Nick Denton's appears to be a repeating four-digit pattern.

The group mocks:

"You would think someone like Nick Denton who likes to run his mouth and taunts such an unforgiving mass like Anonymous, would use a more secure password than "24862486". The sad thing is he probably believes this password is "secure" because he likes to use it everywhere!"

Gawker was protecting passwords with an outdated algorithm, DES ("Data Encryption Standard"), which only takes the first eight characters of a password into account, so the hackers only needed to figure out those first eight characters to log in.

The result is that if you have a longer password, the cracked eight-character prefix is not your full password, so your password and the rest of your online accounts should be safe.

In an interview with The Next Web, a member of the group states, "We apologize that you were caught in the crossfire of this attack, if you have a sufficiently good password over 8 characters then you are most likely not at risk, anyone could have did what we did, it was wide open for everyone to exploit, we just got there first."

If your password was insecure and you use it in other locations, beware. Gnosis already emphasized this fact by posting tweets to the Gawker account and posting pictures and text to Nick Denton's personal Flickr account.

HD Moore, a security researcher who works for ComputerWorld, has outlined a procedure for you to check if your email has been compromised:

Gnosis, according to the TNW interview, is an invite-only hacking and coding club consisting of "13 members, with three 'others'". The group seems unconcerned about retaliation from authorities, insisting that the attack will just force Gawker to be more open and humble.

The group frequents the popular image board site 4chan, which Mr. Denton publicly taunted over the summer. And their Twitter posts and interviews reveal that at least some of their members support Wikileaks.

Yet Gnosis is not 4chan or "Anonymous" -- the greater pool of 4chan hackers. The group has made a great effort to emphasize that point. Likewise, they do not appear to have any affiliation to Wikileaks, other than that they are admirers. They reportedly have no affiliation with recent attacks on banks that opposed Wikileaks; those attacks were reportedly the work of Anonymous.

As to why they did the attack, aside from "helping" Gawker realize that its security was weak, they say that they were inspired by Mr. Denton's arrogance, which he displayed towards the tech-savvy 4Chan community.

In the TNW interview, the group comments, "We read about [Mr. Denton's insulting comments towards 4Chan] as they happened and thought nothing of them but a member brought it up and we decided to see if we could get inside Gawker but the large gap was because we didn't really care at the time. But after a quick pentest we discovered how truly arrogant they were, which makes more sense if you know the levels of security within Gawker."

The group has ruled out conducting another attack of similar scope in the near future, but did mention that they have several "projects" they are working on. States the group, "Well, we have a few pokers in the fire, but nothing we can discuss. We will however re-visit Gawker sometime in the future and see if they have improved their security and fixed the numerous holes. I hope they will, they mentioned they were hiring IT experts, whatever that means."

In an interview with GeekoSystem, the group [perhaps jokingly] suggests that Mr. Denton hire them for security consultation. Comments a group member, "They made several mistakes which contributed to their compromise - leaving passwords literally lying around, using the same password for multiple accounts and services (A lot were weed related, perhaps they had been smoking a bit too much and forgot some basic security principles? (GANJA framework anyone?!)). Unfortunately, I am afraid that until Gawker Media *do* hire us we cannot report fully on any of our findings. Sorry Nick!"

What Was Learned

Ultimately, if there's one thing this incident reminded the general public of, it's that the web is still very much like the Old West. Those who feel like it's a warm and safe place are underinformed.

If you insult the wrong person in this environment, there's a good chance you will be attacked. If you and your employers were smart, such attacks may fail, leaving hackers with only "undesirable" routes like distributed denial of service. But a lot of it comes down to just how much you anger certain individuals. The angrier some folks get, the more they'll fully leverage the ever-growing toolkit of vulnerabilities.

Is this wrong? Many would argue it is. Exposing users' email addresses could lead to them getting spammed, but exposing their passwords is far more dangerous. While many of the passwords were likely used exclusively on the Gawker network, other users may find multiple accounts across the web compromised.

But at the end of the day right and wrong won't help you out a whole lot. Like in the Old West, the authorities likely aren't going to catch the bands -- not all of them at least. So for the most part you have to fend for yourself.

Use secure passwords. Passwords should be at least 16 characters -- a good way to accomplish this with something memorable is to use a passphrase.

If your information is compromised, change all of your affected passwords and inform pertinent administrators as soon as possible. Multiple password changes may be necessary to truly resecure your account.

Comments


One ultra-simple for things like accounts at blog-type sites (like here) that I don't care if it gets released.

One secure (lower and upper case, numbers, symbols, no dictionary words or "l33t" facsimiles thereof,) for more important, but not financial uses. (Email, social media, etc.)

One secure for financial uses, with variation per use. So my password at one bank's website is not the same as for another's, even though they're based on the same 'core'.

I keep an encrypted text file that contains just the DIFFERENCES for my financial passwords. (AKA, the file doesn't contain the 'base', and isn't secured with that 'base', so that even if someone gets into the file, they still won't know my financial password.)

I change the three "base" passwords once every 2-3 years.

And, I use a completely different password for work use. I don't want even the remotest possibility of my work's IT department getting a password that could be used for any of my personal stuff.

So hackers have my gawker password. My gawker account was created with an email address that is my spam-magnet, and isn't personally-identifiable. That email address doesn't use my "simple" password, so they can't get into even that email account. Yes, my gawker account may have the same user name as some other sites (although it might not, I use a few different ones,) and the same password; but worst case they'll make posts as "me" (well, my handle, anyway,) on random tech sites. Ooooh. Big deal.